Post published by IT Pro Portal, 10 June 2016
As the frequency of cyberattacks and high profile data breaches continues to increase and make headlines, businesses are starting to realise that it’s no longer a case of ‘if’ they will be a victim, but ‘when’. Consequently, companies are adopting new cybersecurity measures and technology in the hope that it will minimise the impact a cyberattack or data breach can have on ongoing operations. The issue is that, as with any booming industry, there is a plethora of organisations contesting for their piece of the pie, each using the security ‘buzzwords’ and claiming to offer the utmost defence.
With so many layers of security and tactics for securing company data, it’s easy for companies to feel overwhelmed and pile on security technology with little thought about how the tools work together and what is actually being protected. This leaves both them and their data at risk, as the technology may not provide as comprehensive a level of protection as first thought. As such, there are three questions businesses must ask security vendors to really scrutinise the capabilities of their solutions.
Is encryption tied to identity and policy?
Encryption is almost useless if you can’t control who should access data, when they should access it and under which circumstances. For example, some vendors will claim that their offerings provide true ‘end-to-end’ encryption, but sometimes this can simply mean basic HTTPS. HTTPS only provides encryption in transit, so the data remains readable on both the sender’s and the recipient’s devices: a major flaw that leaves sensitive data accessible should either device be lost or stolen.
Businesses require more robust encryption to secure their sensitive data. For example, advanced data-centric encryption not only encrypts each individual item of data before it leaves the sender’s device and is sent to the server, it also requires the recipient to prove their identity and meet specific policy requirements every time they wish to access the information. Without passing the checks the data remains unreadable, meaning that should it fall into unintended hands, the new possessor won’t have sensitive information presented on a silver platter.
How granular are the access controls?
And where do audit trail capabilities truly stop? Businesses must have the ability to set specific access policy controls on individual items of data, enabling them to set the requirements that must be met in order for encrypted data to become readable. They should also be able to amend the access controls at any time, with all subsequent access requests subjected to the new requirements.
However, businesses can’t ignore the fact that some files will be downloaded and can then be shared and forwarded on to anyone without the company ever knowing, bringing the audit trail to an end. To mitigate some of the risk, companies require the capability to set rules regarding downloading or, in the case of highly sensitive data such as classified government documents, to prevent it completely. This ensures that data remains within the secure walls of the network, where it is more easily secured and businesses can monitor exactly who is accessing it, for how long and what they are doing, ensuring a true, full audit trail.
While controlling access to data can go a long way to ensure data integrity, organisations must also have the ability to block access completely if they believe it to be at a truly high risk of being compromised. For example, in cases where information is being misused by employees or accessed by unauthorised individuals, companies can close the data off and give themselves time to investigate and respond accordingly.
There is also the risk of employees taking photos of classified documents and sharing them with outsiders which, other than through physical measures, can be difficult to mitigate. Companies should adopt technology that watermarks all documents meaning that, at the very least, any photo will be distorted and not easy to view.
And finally: the most important security question…
Finally, businesses must determine what visibility the vendor provides into data sovereignty and whether data location can change without their knowledge or approval. Many organisations find it difficult to identify where information is residing at any given time, and the challenge becomes even more complex when vendors entrust data to cloud service providers (CSPs), which often move it between their global data centres. This means that firms are unsure which regulations their data is governed by and, more worryingly, whether the data is potentially at risk of exposure to external parties.
While the incoming EU GDPR will result in many security vendors and CSPs relocating their data centres to within the EU, meaning all data will be governed by the one regulation, organisations still need to be able to identify the exact location of their data. For example, an employee who is travelling and can meet the requirements to unlock data may be in a country with a reputation for ‘monitoring’, such as China. This means that, should access be granted, it’s highly possible that information could be viewed by external entities. This insight can be achieved through advanced geolocation. It provides organisations with complete visibility of their data’s whereabouts and, should it be within a country that is considered risky, enables them to lock down access to it altogether.
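The three questions above describe one architecture: the data item is encrypted before it leaves the owner’s device, the key that makes it readable is released only after the requester proves their identity and satisfies the current policy (including where they are), every request is recorded, downloads can be blocked, policies can be amended later, and access can be shut off entirely. The sketch below is an added example that models that architecture; it is not code from the original article or from any vendor it describes. The cipher is a toy built from SHA-256 in counter mode with an HMAC tag so that the example runs on the standard library alone, and the `PolicyKeyService`, its policy fields, the document id and the country codes are all hypothetical, constructed for the demonstration.

```python
"""Constructed illustration of data-centric encryption tied to identity and policy.

Toy cipher (SHA-256 counter mode + HMAC) so the example runs with the standard
library only; it is not a production cipher. Service, policy fields, document
ids and country codes are hypothetical.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone


def _keystream(key, nonce, length):
    # Toy keystream: SHA-256(key || nonce || counter) blocks, truncated to length.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt on the owner's device; only this blob ever travels or is stored."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Decrypt, but only with a key the policy service has just released."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Policy:
    allowed_users: set
    allowed_countries: set      # geolocation lock-down: request must originate here
    not_after: datetime
    allow_download: bool = False
    revoked: bool = False


class PolicyKeyService:
    """Holds data keys; releases one per request only after identity and policy checks."""

    def __init__(self):
        self._keys, self._policies = {}, {}
        self.audit = []  # one entry per access request, granted or denied

    def protect(self, doc_id, plaintext, policy):
        key = os.urandom(32)
        self._keys[doc_id], self._policies[doc_id] = key, policy
        return seal(key, plaintext)

    def amend_policy(self, doc_id, **changes):
        # Subsequent requests are judged against the amended policy.
        for name, value in changes.items():
            setattr(self._policies[doc_id], name, value)

    def revoke(self, doc_id):
        self._policies[doc_id].revoked = True  # close the data off completely

    def request_access(self, doc_id, user, country, now, action="view"):
        p = self._policies[doc_id]
        if p.revoked:
            reason = "revoked"
        elif user not in p.allowed_users:
            reason = "identity not authorised"
        elif country not in p.allowed_countries:
            reason = "location not permitted"
        elif now > p.not_after:
            reason = "policy expired"
        elif action == "download" and not p.allow_download:
            reason = "download blocked"
        else:
            reason = None
        self.audit.append({"doc": doc_id, "user": user, "country": country, "action": action,
                           "at": now.isoformat(), "granted": reason is None, "reason": reason})
        return self._keys[doc_id] if reason is None else None


def demo():
    """Walk the lifecycle: protect, request, amend, revoke; return results for checking."""
    svc = PolicyKeyService()
    secret = b"board minutes, Q2 (constructed sample)"
    blob = svc.protect("doc-1", secret,
                       Policy({"alice"}, {"GB", "DE"}, datetime(2016, 12, 31, tzinfo=timezone.utc)))
    t = datetime(2016, 6, 10, 9, 0, tzinfo=timezone.utc)
    out = {"ciphertext_hides_plaintext": secret not in blob}   # stolen device holds only this
    key = svc.request_access("doc-1", "alice", "GB", t)
    out["alice_gb"] = unseal(key, blob) if key else None
    out["bob_gb"] = svc.request_access("doc-1", "bob", "GB", t)           # wrong identity
    out["alice_us"] = svc.request_access("doc-1", "alice", "US", t)       # outside allowed countries
    out["alice_download_before"] = svc.request_access("doc-1", "alice", "GB", t, "download")
    svc.amend_policy("doc-1", allow_download=True)
    out["alice_download_after"] = svc.request_access("doc-1", "alice", "GB", t, "download") is not None
    svc.revoke("doc-1")
    out["alice_after_revoke"] = svc.request_access("doc-1", "alice", "GB", t)
    out["denials"] = [e["reason"] for e in svc.audit if not e["granted"]]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The point of the split is that transport encryption (HTTPS) plays no part in whether the recipient can read the file: the blob is opaque wherever it sits, and readability is decided at request time by the key service, which is also where the audit trail and the geolocation lock-down live.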
Ultimately, as companies continue to collect more data on their own customers and wider consumer base, data stores are growing and holding more sensitive information. The potentially costly, ongoing ramifications of a cyberattack or data breach are forcing businesses to invest heavily in cybersecurity, but not all solutions are created equal, and consideration must be given to how each one integrates with the rest. As part of a comprehensive security strategy, firms must place vendors under increased scrutiny, asking the questions that reveal the true capabilities of the technology. Only then can organisations ensure that they aren’t being lulled into a false sense of security over the protection of their data.